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ABSTRACT 


With  increased  dependency  on  the  Internet,  cyber  attacks  are  fast  becoming  an  attractive 
option  for  state  adversaries,  in  part  because  of  the  ease  of  hiding  a  perpetrator’s  identity. 
In  response,  governments  around  the  world  are  taking  measures  to  improve  their  national 
cyber  defenses.  However,  these  defenses,  which  are  generally  passive  in  nature,  have 
been  insufficient  to  address  the  threats.  This  thesis  explores  the  possibility  of  employing 
active  cyber  defenses  to  improve  cyber  defenses  at  the  national  level.  Active  cyber 
defense  refers  to  the  use  of  offensive  actions,  such  as  counter  hacking  and  pre-emptive 
hacking,  among  others,  to  defend  against  cyber  attacks.  This  thesis  studies  the  typologies 
of  active  cyber  defense  and  examines  how  this  approach  can  enhance  a  state’s  cyber 
defense  posture. 
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I. 


INTRODUCTION 


A.  PURPOSE  AND  SCOPE 

The  purpose  of  this  thesis  is  to  study  the  benefits  of  applying  active  cyber 
defenses  to  enhance  cyber  defenses  at  a  national  level.  Based  on  the  definition  from  the 
U.S.  DoD  Dictionary  of  Military  Terms,  active  defense  refers  to  the  employment  of 
limited  offensive  action  and  counterattacks  to  deny  a  contested  area  or  position  to  the 
enemy.  1  Thus,  active  cyber  defense  would  refer  to  the  use  of  offensive  cyber  actions, 
such  as  counter  hacking  or  pre-emptive  hacking,  among  others,  within  cyberspace  to 
achieve  a  similar  outcome.  The  thesis  examines  the  limitations  of  existing  passive 
defenses  such  as  firewalls,  intrusion  detection/prevention  systems,  patching,  and  auditing. 
It  then  explores  different  types  of  active  defenses,  examines  their  strengths  and 
weaknesses,  and  studies  how  they  can  contribute  to  the  cyber  defense  posture. 

B.  BACKGROUND 

Cyber  attacks  are  becoming  an  attractive  option  for  the  enemies  of  a  state,  social 
movements,  terrorists,  etc.  One  reason  is  the  ever-increasing  reliance  on  computers  and 
the  Internet;  for  governments  and  militaries  around  the  world,  these  systems  have  become 
easy  targets. ^  It  has  been  reported  that  more  than  one  hundred  countries  are  trying  to 
break  into  the  United  States’  government  networks,  and  that  NATO  headquarters  receives 
more  than  one  hundred  cyber  attacks  each  day.^  Another  reason  for  an  adversary’s 
interest  in  cyber  attacks  is  the  ease  of  hiding  a  perpetrator’s  identify  on  the  Internet. 
Many  cyber  attacks  are  launched  via  compromised  computers,  thereby  masking  the  origin 
of  the  attacks.  For  example,  in  the  cyber  attacks  against  Georgia  in  2008,  the  distributed 


^  U.S.  DoD  Dictionary  of  Military  and  Associated  Terms, 
http ://w w w . dtic . mil/doctrine/dod  dictionarv/data/a/2043  .html . 

^  Lawrence  Gershwin,  “Cyher  Threat  Trends  and  U.S.  Network  Security,”  Statement  for  the  Record  to 
the  Joint  Economic  Committee,  National  Intelligence  Council,  21  June  2001, 
http://www.dni.gov/nic/testimonv  cvherthreat.html. 

^  Siohhan  Gorman  and  Stephen  Fidler,  “Cyher  Attacks  Test  U.S,  Allies,  and  Foes,”  Wall  Street 
Journal,  25  September  2010, 

http://online.wsi.eom/article/SB10001424052748703793804575511961264943300.html. 
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denial  of  service  (DDOS)  attacks  were  traced  to  multiple  “hacked”  computers  around  the 
world.  These  compromised  computers,  or  hots,  were  victims  themselves,  providing  a 
protective  layer  between  the  attacker  and  the  target  systems  in  Georgia.^  Another  similar 
example  was  the  cyber  attacks  on  Estonia  in  2007.  This  issue  of  attribution  is  further 
complicated  by  various  privacy  and  international  laws,  or  lack  thereof,  around  the  world.^ 

In  response,  governments  worldwide  have  taken  measures  to  improve  their 
national  cyber  defenses.  President  Obama  identified  cyber  attacks  as  one  of  the  most 
serious  economic  and  national  security  challenges  that  the  United  States  faces.  The 
administration  reviewed  cyber  policies  and  programs,  releasing  the  Comprehensive 
National  Cybersecurity  Initiative.^  Also,  the  U.S.  Cyber  Command  was  set  up,  achieving 
full  operational  capability  on  November  3,  2010.^  In  Europe,  NATO  established  the 
Cooperative  Cyber  Defence  Centre  of  Excellence  in  May  2008  to  enhance  NATO’s  cyber 
defense  capabilities.  The  center’s  mission  is  to  enhance  capability,  cooperation  and 
information  sharing  among  NATO’s  partners  through  education,  research  and 
development,  lessons  learned  and  consultation.*  In  addition,  many  Information 
Technology  (IT)  security  vendors  have  offered  innovative  products  to  enhance  cyber 
security. 

Despite  such  measures,  the  number  of  cyber  attacks  is  still  on  the  rise.  Cyber 
defense  can  spread  across  a  wide  spectrum,  ranging  from  prevention  and  response  to 
deterrence  and  investigation.  Today,  existing  cyber  defenses  are  generally  passive  in 
nature,  thereby  failing  to  extend  across  the  full  range  of  operations.  This  is  unlike 
traditional  war  fighting,  in  which  active  defenses  are  utilized  as  part  of  a  state’s  defense. 

“Overview  by  the  U.S.-CCU  of  the  Cyber  Campaign  Against  Georgia  in  August  of  2008,”  U.S.- 
Cyber  Consequence  Unit  Special  Report,  August  2009. 

^  Duncan  B.  Hollis  and  David  G.  Post,  “Do  Cyber- Attacks  Require  a  Duty  to  Assist?”  Law 
Technology  News,  29  April  29  2010, 

http://www.law.com/isp/lawtechnologvnews/PubArticleLTN.isp?id=1202453759405&slreturn=l&hbxlogi 

n=l. 

^  “The  Comphrehensive  National  Cybersecurity  Initiative,”  National  Security  Council, 
http://www.whitehouse.gov/cvbersecuritv/comprehensive-national-cvbersecuritv-initiative. 

^  “Cyber  Command  achieves  full  operational  capability,”  Air  Force  Space  Command,  3  November, 
2010,  http://www.afspc. af.mil/pressreleasearchive/storv. asp?id=123229293. 

*  NATO  Cooperative  Cyber  Defence  Center  of  Excellence,  http://www.ccdcoe.org. 
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As  Abraham  Sofaer  highlighted  in  his  book  The  Best  Defense?  Legitimacy  and 
Preventive  Force,  states  have  long  conducted  preventive  wars  as  forms  of  defense. ^ 

In  a  similar  regard,  in  the  National  Research  Council  (NRC)  report,  “Technology, 
Policy,  Law,  and  Ethics  Regarding  U.S.  Acquisition  and  Use  of  Cyberattack 
Capabilities,”  the  authors  briefly  touched  on  various  active  cyber  defenses,  such  as  non- 
cooperative  intelligence  gathering,  counterstrike,  and  preemptive  defense,  Non- 
cooperative  intelligence  gathering  refers  to  the  gathering  of  information  about  the  attack 
and  the  attacker  through  the  use  of  any  tools  or  means.  Counterstrike  refers  to  counter 
hacking  of  an  attacker’s  system.  Preemptive  defense  refers  to  the  conduct  of  an  attack  on 
an  adversary’s  system/network  in  imminent  anticipation  of  the  adversary  conducting  an 
attack  on  the  victim’s  own  system.^  Although  these  actions  are  highly  controversial,  12 
particularly  in  terms  of  legality  and  legitimacy,  they  may  be  able  to  contribute  and  offer 
something  new  to  an  overall  cyber  defense  posture. 

As  such,  this  thesis  seeks  to  determine  how  active  cyber  defense  can  help  in 
defending  against  cyber  attacks. 

C.  METHODOLOGY 

The  thesis  will  study  the  different  types  of  cyber  attacks  and  the  current  state  of 
defenses  against  them.  It  will  explore  the  different  typologies  of  active  cyber  defense  and 


^  Abraham  D.  Sofaer,  The  Best  Defense?  Legitimacy  and  Preventive  Force  (Stanford,  CA;  Hoover 
Institution  Press,  2010),  32-52. 

William  A.  Owens,  Kenneth  W.  Dam,  and  Herbert  S.  Lin,  “Technology,  Policy,  Law,  and  Ethics 
Regarding  U.S.  Acquisition  and  Use  of  Cyberattack  Capabilities,”  National  Research  Council  (Washington, 
D.C.;  The  National  Academies  Press,  2009),  142-149. 

Note  that  while  the  authors  refer  to  preemptive  defense  in  the  report,  it  is  likely  that  they  meant 
preventive  defense  instead.  Based  on  the  definition  by  Abraham  Sofaer,  a  preventive  strike  is  the  “use  of 
force  against  an  anticipated  attack  based  on  a  judgment  that  the  attacker  will  use  existing  or  potential  means 
to  attack  in  the  future,  or  to  engender  other  types  of  harm,  including,  for  example,  harm  to  hostages,  attacks 
by  non-state  actors,  or  the  mistreatment  by  a  State  of  its  own  nationals.”  As  for  preemptive  strike,  it  refers 
to  strikes  that  uses  “force  against  an  attack  that  is  believed  to  be  imminent  based  on  evidence  that  hostile 
action  has  begun  or  is  about  to  occur.” 

1 1  Ibid. 

12  Ibid.,  239-241. 
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discuss  what  they  can  offer.  It  will  then  discuss  three  cases  of  cyber  attack  and  illustrate 
the  key  benefits  that  active  cyber  defenses  could  have  offered  for  each  of  the  cases. 

D.  OVERVIEW 

Chapter  I  introduces  the  purpose  and  scope  of  the  thesis,  i.e.  to  study  the  benefits 
of  employing  active  cyber  defenses  as  a  complement  to  passive  cyber  defenses  in  order  to 
better  counter  cyber  attacks  at  a  national  level.  It  also  provides  some  background  on  the 
current  state  of  cyber  defense. 

Chapter  II  discusses  the  different  types  of  cyber  attacks  and  the  passive  defenses 
that  are  customarily  used  against  them.  It  will  highlight  some  of  the  limitations  and 
challenges  of  these  defenses.  The  chapter  will  then  touch  on  the  specific  difficulties 
encountered  in  actual  cases  of  cyber  attacks. 

Chapter  III  lays  out  the  different  typologies  of  active  cyber  defense.  These  are 
cyber  exploitation,  counter  hack,  preemptive  cyber  attack,  and  preventive  cyber  attack. 
For  each  of  the  typologies,  their  characteristics,  strengths  and  weaknesses  will  be 
examined.  The  chapter  will  then  discuss  how  these  methods  can  help  in  an  overall  cyber 
defense  posture. 

Chapter  IV  examines  three  major  cases  of  cyber  attacks  and  study  how  active 
cyber  defense  could  have  helped  in  defending  against  the  attacks.  The  cases  are: 
GhostNet,i3  the  worm  that  carried  out  cyber  espionage;  cyber  attacks  that  occurred 
against  Estonia  in  2007;!'^  and  Stuxnet,!^  the  worm  targeted  at  disrupting  industrial 
control  systems. 


“Tracking  GhostNet;  Investigating  a  Cyber  Espionage  Network,”  Information  Warfare  Monitor,  29 
March  2009,  http://www.infowar-monitor.net/ghostnet. 

Roland  Heickero,  “Emerging  Cyber  Threats  and  Russian  Views  on  Information  Warfare  and 
Information  Operations,”  2010. 

“W32.Stuxnet  Dossier  Version  1.4,”  Symantec  Security  Response,  Eebruary  2011, 
http://www.svmantec.com/content/en/us/enterprise/media/securitv  response/whitepapers/w32  stuxnet  dos 

sier.pdf. 
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Chapter  V  summarizes  the  findings  of  the  earlier  chapters  and  reviews  the 
benefits  of  active  cyber  defense.  In  conclusion,  it  will  also  highlight  some  possible  areas 
for  further  research. 
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II.  UNDERSTANDING  CYBER  ATTACK  AND  DEFENSE 


A.  INTRODUCTION 

Cyber  attacks  are  generally  considered  to  be  attacks  on  computer  systems  and 
networks.  The  attacks  can  originate  from  individuals,  groups,  and  nation-states  for  a 
variety  of  reasons.  Regardless  of  motivation,  they  often  aim  to  alter  or  steal  information, 
or  to  disrupt  the  computer  system  or  network.  As  there  is  a  wide  range  of  attacks  of 
varying  magnitude,  this  chapter  will  focus  on  the  more  noteworthy  types.  It  will  also 
discuss  current  defenses  against  them  and  examine  particular  cyber  attacks  that  had 
significant  impact. 

B.  TYPES  OF  CYBER  ATTACK 

I.  Web  Defacement 

Web  defacements  are  attacks  that  alter  the  contents  of  a  website  or  hijack  its 
domain  name,  redirecting  users  to  a  false  site.  As  reported  by  Zone-H,  a  website  archive 
of  versions  of  defaced  websites,  the  number  of  web  defacement  attacks  has  been  rising 
consistently.  There  were  300,000  web  defacements  recorded  in  2003.  However,  in  2010, 
the  numbers  increased  to  an  astounding  1,400,000.1®  Until  May  2011,  there  had  already 
been  approximately  400,000  defacements  reported  (see  Figure  1).  The  attackers  range 
from  script  kiddies to  the  politically  motivated  skilled  hackers. 


Zone-H.org,  “Unrestricted  information,  Yearly  &  Monthly  &  Daily  attacks,”  http://www.zone- 
h.org/stats/ymd. 

In  a  Carnegie  Mellon  report  prepared  for  the  U.S.  Department  of  Defense  in  2005,  script  kiddies  are 
defined  as  “the  more  immature  hut  unfortunately  often  just  as  dangerous  exploiter  of  security  lapses  on  the 
Internet.  The  typical  script  kiddy  uses  existing  and  frequently  well  known  and  easy-to-find  techniques  and 
programs  or  scripts  to  search  for  and  exploit  weaknesses  in  other  computers  on  the  Internet  -  often 
randomly  and  with  little  regard  or  perhaps  even  understanding  of  the  potentially  harmful  consequences.” 
See  Nancy  Mead,  Eric  Hough,  and  Theodore  Stehney,  “Requirements  Engineering  (Square)  Methodology), 
Carnegie  Mellon  Software  Engineering  Institute  (November  2005):  56, 
http://www.cert.org/archive/pdf/05tr009.pdf. 
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Figure  1.  Number  of  web  defacement  attacks  from  January  2003  to  October  201 1 

A  good  example  of  politically  motivated  web  defacement  occurred  during  the  war 
against  Iraq  in  2003.  According  to  F-Secure,  web  defacements  started  forty-eight  hours 
preceding  the  attack  on  Iraq,  and  continued  to  increase  during  the  war.  The  site  F-Secure 
classified  the  responsible  hackers  into  three  groups:  U.S. -based  patriotic  hackers,  Islamic 
extremist  groups  from  around  the  world,  and  peace  activitists  who  were  against  the  war.i^ 
Figure  2  shows  the  number  of  web  defacements  that  occurred  during  the  tenth  to  twelfth 
weeks  of  the  war  against  Iraq. 


“Unrestricted  information!  Yearly  &  Monthly  &  Daily  Attacks,”  http://www.zone-h.org/stats/vmd. 

“Iraq  War  and  Information  Security,”  F-Secure,  28  March  2003,  http://www.f-secure.com/virus- 
info/iraq.shtml. 
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Figure  2.  Number  of  web  defaeements  during  week  10-12^0 

In  another  example,  the  haeker  group  “Iranian  Cyber  Army”  hijaeked  the  Voiee 
of  Ameriea  (VGA)  website  in  February  2011,  posting  a  statement  demanding  that  the 
U.S.  Secretary  of  State,  Hillary  Clinton,  listen  to  “the  voice  of  oppressed  nations”  and 
“stop  interfering  in  Islamic  countries.”  This  group  was  also  responsible  for  hijacking 
Twitter  in  December  2009.21 

2.  Denial  of  Service/Distributed  Denial  of  Service  (DDOS) 

Denial  of  service  (DOS)  attacks  aim  to  cripple  or  disrupt  access  to  their  targets. 
Typically  this  is  achieved  by  consuming  the  bandwidth  of  the  target’s  network  or 
exhausting  resources  on  the  target’s  system.22  Often,  DOS  attacks  are  carried  out  via 
botnets,  which  are  networks  of  compromised  machines  that  have  been  infected  with 


20  “Iraq  War  and  Information  Security,”  http ://w w w .f-secure. com/virus-info/iraq . shtml . 

21  William  Ide,  “Iranian  Hackers  Attack  VOA  Internet  Sites,”  Voice  of  America,  22  February  2011, 
http://www.voanews.com/english/news/usa/Iranian-Hackers-Attack-VOA-Intemet-Sites-l  16678844.html. 

22  “Uses  of  botnet,”  The  Honeynet  Project,  10  August  2008,  http://www.honevnet.org/node/52. 
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malware  and  placed  under  control  of  the  attacker.  Botnets  tend  to  stay  dormant  until  they 
are  given  some  tasks  from  their  command  and  control  server,  which  can  be  located  in  any 
part  of  the  world.  They  are  most  often  used  to  send  spam,  but  they  are  also  used  for  fraud 
and  to  perform  denial  of  service  attacks,  with  the  botnet  as  a  whole  conducting  what  is 
then  called  a  distributed  denial  of  service  (DDOS)  attack.23 

3.  Malware  (Malicious  Software)  Attack 

This  classification  includes  various  forms  of  malware  such  as  viruses,  worms,  and 
Trojans. 34  Viruses  are  programs  that  can  attach  themselves  to  other  software  and  then 
replicate  when  that  software  is  executed.  The  effects  can  range  from  stealing  sensitive 
information  to  causing  disruption.  Worms  are  self-replicating  malware.  They  can  scan  for 
vulnerable  systems  and  exploit  them.  They  can  also  spread  via  removable  devices  such  as 
USB  thumb  drives,  an  example  being  the  Stuxnet  worm.  Trojans  are  malicious  code 
hidden  inside  legitimate  software  to  avoid  detection.  Often  these  are  backdoors  that  allow 
the  attacker  full/remote  access  to  the  systems  that  are  infected.  Although  they  do  not 
spread  on  their  own,  they  can  reach  millions  of  targets  through  spam  and  web  downloads. 
An  example  of  this  is  the  Zeus  Trojan. 25 

4.  Zero-Day  Attacks 

These  attacks  occur  when  an  attacker  (humans  or  artificial-intelligence  controlled 
malware)  exploits  a  computer  system  through  an  unpublished  vulnerability  for  which  no 
patch  (fix)  has  been  issued.26  While  such  attacks  are  much  less  frequent  than  those  that 
exploit  known  vulnerabilities  for  which  the  vendors  have  released  patches,  they  are  far 
more  difficult  to  detect  and  defend  against  since  their  signatures  will  not  be  incorporated 


23  “Botnets,”  Shadowserver,  http://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets. 

24  “Glossary,”  McAfee,  http ://home .mcafee .com/V irusInfo/Glos sary . aspx. 

25  Elinor  Mills,  “Zeus  Trojan  Steals  $1  Million  from  U.K.  Bank  Accounts,”  CNET,  10  August  2010, 
http://news.cnet.eom/8301-27080  3-20013246-245.html. 

26  Tony  Bradley,  “Zero  Day  Exploits,”  Internet/Network  Sercurity,  Ahout.com, 
http://netsecuritv.ahout.eom/od/newsandeditoriall/a/aazerodav.htm. 
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into  anti- malware  products.  Moreover,  even  after  a  vendor  has  discovered  or  been 
notified  of  a  security  flaw,  it  may  take  some  time  before  a  security  update  is  developed 
and  released. 

C.  TYPES  OF  CYBER  DEFENSE 

Many  IT  security  product  vendors  have  been  rigorously  promoting  cutting-edge 
security  solutions  and  products  to  defend  against  various  forms  of  cyber  attacks.  In 
addition,  organizations  have  been  tightening  and  enforcing  more  stringent  policies.  Such 
policies  cover  the  storage  and  handling  of  classified  data,  background  screening  of 
individuals  involved  in  sensitive  job  functions,  password  requirements,  types  of  personal 
communication  devices  allowed,  types  of  data  allowed  to  flow  between  networks,  and  the 
frequency  in  which  servers  should  be  patched.^^  Table  1  briefly  describes  some  of  the 
current  defense  strategies  for  the  types  of  attacks  mentioned  in  the  previous  section. 


“Information  Security  Policy  Templates,”  SANS,  http://www.sans.org/securitv-resources/policies. 


11 


Table  1.  Defenses  against  cyber  attacks. 


Attack  Type 

Recommended  defenses  -  Policies  and  Technology 

Web  Defacement 

Ensure  servers  are  patched  regularly 

Ensure  web  scripts  are  well  written 

Check  user  input  to  prevent  SQE  (Structured  Query 
Eanguage)  injection's 

Deploy  software  to  automatically  restore  baseline  copy 
of  defaced  web  pages,  e.g.,  Tripwire  Remediation 
Manager29 

DDOS 

Ensure  servers  are  patched  regularly 

Have  firewalls  filter  out  malformed  packets 

Maintain  a  Blacklist  of  attacking  IP  addresses 

Have  bandwidth  redundancy 

Use  load  distribution  and  abnormal  request  filtering, 
e.g.,  Akamai^O 

Malware  attack 

Have  firewalls  filter  out  malformed  packets 

Deploy  Intrusion  Detection  System  (IDS)  /  Intrusion 
Prevention  System  (IPS)  /  Anti-Virus  (AV),  and  ensure 
their  signatures  are  updated  regularly 

Monitor  network  traffic 

Use  application  white  listing,  e.g.,  Bouncer^i 

Zero-day  attack 

Deploy  an  anomaly  monitoring  system,  e.g., 
Netwitness32 

SQL  injection  is  an  attack  in  which  malicious  code  is  inserted  into  instances  of  SQL  server  for 
parsing  and  execution.  See  MSDN,  Microsoft,  http://msdn.microsoft.com/en-us/librarv/msl61953.aspx. 

“Automated  Correction  of  Bad  IT  Configurations,”  Tripwire,  http://www.tripwire.com/it- 
compliance-products/te/remediation/. 

“Akamai  Security  Solutions,”  Akamai, 
http://www.akamai.com/html/solutions/securitv/ddos  defense.html. 

“Inttoducing  Bouncer  by  CoreTrace,”  CoreTrace, 
http://www.coretrace.com/products/BOUNCER  by  CoreTrace/default.aspx. 

“Spectrum,”  Netwitness,  http://netwitness.com/products-services/spectrum. 
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A  cyber  attack  is  often  multifaceted  sinee  it  ean  involve  a  eombination  of  the 
attacks  mentioned  above.  For  example,  in  the  ease  of  a  worm  attaek,  it  could  spread  by 
exploiting  miseonfigured  servers,  or  exploiting  both  known  and  unknown  (zero-day) 
vulnerabilities.  After  the  initial  attacks,  malware  sueh  as  Trojans  and  backdoors  could  be 
installed  in  the  compromised  systems.  Such  malware  could  also  spread  through 
removable  devices  as  in  the  case  of  Stuxnet,  or  through  spam  or  web  downloads.  Once 
installed,  the  malware  could  communicate  with  remote  servers  to  receive  instructions  for 
data  collection,  sabotage,  or  eondueting  DDOS  attacks.  All  these  signify  the  eomplexities 
and  sophistieation  of  cyber  attacks  and  suggest  that  existing  defenses  may  not  be 
suffieient. 

D.  THE  REALITY 

Based  on  the  U.S.  Defense  Department  Military  Dictionary,  passive  defense 
refers  to  “measures  taken  to  reduee  the  probability  of  and  to  minimize  the  effeets  of 
damage  caused  by  hostile  action  without  the  intention  of  taking  the  initiative. ”^3  These 
measures  are  exaetly  what  the  above  defensive  strategies  are  about.  The 
reeommendations  serve  to  prevent  or  limit  the  impact  of  a  cyber  attaek.  When  defenses 
are  properly  implemented,  they  may  help  with  forensic  investigation  and  damage  eontrol, 
shorten  the  time  for  response  and  recovery,  and  deter  future  attacks. 

Unfortunately,  results  of  these  measures  have  not  been  optimal  as  shown  by  the 
continual  increase  in  the  number  of  cyber  attacks.  None  of  the  above  defenses  has  been 
fully  sueeessful. 

1.  Increased  Opportunities 

With  the  number  of  vulnerabilities  increasing  over  the  years  as  reported  by  the 
IBM  X-Force34  (see  Figure  3),  there  are  more  opportunities  for  potential  attackers  than 
ever  before. 


33  “Passive  Defense,”  Answers.com,  http ://w w w . answers  .com/topic/pas sive-defense . 

34  The  IBM  X-Force  is  a  R&D  team  that  studies  and  monitors  the  latest  threat  trends  including 
vulnerahilities,  exploits,  viruses  and  other  malware,  spam,  phishing,  and  malicious  weh  content.  See 
http://www-03.ihm.com/securitv/landscape.html. 
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Vulnerability  Disclosures  Growth  by  Year 
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Figure  3.  Vulnerabilities  growth  by  year 


Apart  from  the  increase  in  vulnerabilities,  the  attacks  are  also  becoming  more 
sophisticated.  To  make  matters  worse,  vendors  require  time  to  develop  and  test  their 
security  updates  before  offering  them  to  their  customers.  And,  at  the  enterprise  level, 
additional  tests  are  needed  to  ensure  the  security  updates  are  compatible  with  all  existing 
components  and  do  not  disrupt  functionality.  As  such,  there  is  often  a  fairly  large  window 
of  opportunity  for  attacks  to  continue  to  be  effective.  Adding  to  this  window  of 
opportunity  is  the  fact  that  often  vulnerabilities  remain  undisclosed  for  a  period  of  time.^s 

2.  Difficulty  in  Detection  and  Filtration 

Another  reality  is  that  it  is  difficult  to  detect  something  that  exploits  an  unknown 
vulnerability  or  uses  a  new  avenue  of  attack.  Moreover,  it  is  difficult  to  defend  the 

Bryan  Casey,  “Over  8000  New  Vulnerabilities  Disclosed  in  2010  -  That’s  a  Record,”  The  IBM 
Institute  for  Advanced  Security  Expert  Blog,  31  March  201 1, 

http://www.instituteforadvancedsecuritv.com/expertblog/201 1/03/3  l/over-8000-new-vulnerabilities- 

disclosed-in-2010-thats-a-record/. 
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perimeter  of  the  network  without  knowing  from  where  an  attack  originates.  Thus,  such  a 
perimeter  defense  becomes  very  reactive  and  may  not  be  able  to  shut  down  an  attack.  For 
example,  an  attacker  can  first  launch  a  series  of  attacks  on  a  target  from  IP  addresses 
originating  from  Europe.  The  target,  upon  detecting  the  origin  of  these  attacks,  can 
immediately  configure  new  rules  on  its  firewall  to  drop  incoming  traffic  from  those  IP 
addresses.  However,  the  attacker  can  easily  overcome  this  by  utilizing  IP  addresses  from 
another  location.  This  shows  that  such  a  blacklisting  approach  is  not  very  effective. 
Another  approach  would  be  to  make  use  of  white  listing. 36  However,  depending  on  the 
nature  of  the  business,  such  an  approach  may  not  always  be  applicable.  For  example,  in 
the  case  of  the  website  of  a  ministry  of  foreign  affairs,  it  would  be  difficult  to  have  a 
white  list,  since  the  website  needs  to  be  accessible  from  all  addresses. 

Furthermore,  skilled  attackers  can  utilize  sophisticated  covert  channels^^  to  ensure 
their  activities  remain  obscure  and  hidden  from  network  traffic  monitoring  systems 
and/or  intrusion  detection  systems.  An  example  of  such  a  channel  is  the  HTTP  Tunnel. 
Utilizing  this  application,  an  attacker  can  disguise  his  traffic  to  look  like  regular  web 
surfing  traffic,  thereby  preventing  detection  by  the  network  monitoring  systems. 3^ 

While  there  are  new  defense  technologies  such  as  behavioral  analysis  and 
anomaly  detection,  they  are  not  mature  as  yet  and  often  lead  to  many  false  positives. 

3.  Attribution 

Apart  from  detecting  the  attack  signal  itself,  the  other  challenge  is  attribution. 
This  problem  can  be  divided  into  two  parts:  technical  attribution  and  human  attribution. 39 
Technical  attribution  involves  the  analysis  of  technical  components  of  the  cyber  attack  to 
trace  and  locate  the  IP  address  of  the  machine  originating  the  attack.  Human  attribution 

36  The  use  of  a  white  list  refers  to  the  maintenance  of  a  list  of  allowed  IP  addresses,  as  opposed  to  a 
black  list,  which  is  a  list  of  disallowed  IP  addresses. 

3”^  A  covert  channel  is  a  communication  channel  that  is  hidden  or  disguised  within  a  legitimate 
communication  channel.  See  http://www.sans.org/reading  room/whitepapers/covert/. 

38  http  Tunnel,  http://www.http-tunnel.com/html/. 

39  W.  Earl  Boebert,  “A  Survey  of  Challenges  in  Attribution,”  Proceedings  of  a  Workshop  on 
Deterring  Cyber  Attacks:  Informing  Strategies  and  Developing  Options  for  U.S.  Policy,  National  Research 
Council  (Washington,  D.C.:  The  National  Academies  Press),  43. 
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involves  the  analysis  of  all  avenues  of  information  pertinent  to  the  attack  to  identify  the 
person  or  organization  responsible  for  the  attack.  Both  aspects  of  attribution  are  a 
challenge  owing  to  the  multiple  barriers  (or  techniques)  by  which  attackers  can  mask 
their  routes.  These  include  the  use  of  botnets,  The  Onion  Router  (TOR),"^^  and  covert 
channels,  etc. 

E.  SOME  CASES  OF  CYBER  ATTACKS 

1.  Conficker 

The  Conficker  worm  is  responsible  for  one  of  the  largest  worm  infections  to  date. 
First  detected  on  November  21,  2008,  it  spread  to  over  seven  million  government, 
business,  and  home  computers  in  over  two  hundred  countries."^!  Some  of  the  more 
severely  impacted  victims  include  the  French  Navy,"^^  where  fighter  planes  were 
grounded  due  to  the  worm  infection,  and  the  United  Kingdom’s  Navy,  where  as  many  as 
three-quarters  of  its  ships  had  infected  computers. Over  a  period  of  six  months,  the 
worm  upgraded  itself  five  times,  each  time  adding  new  functionalities  such  as  infection 
vectors,  propagation  and  communications  methods  and  even  self-defense  mechanisms. 
This  illustrates  how  upgrades  compound  the  difficulty  in  defending  against  such 
advanced  malware.  Each  time  a  new  defense  mechanism  is  in  place,  such  as  an  updated 
signature  for  the  anti-virus  or  intrusion  prevention  system,  the  worm  can  be  upgraded  to 
defeat  that  mechanism.  In  this  manner,  defenses  will  always  be  one  step  behind  attacks. 

2.  GhostNet 

GhostNet  refers  to  a  massive  case  of  cyber  espionage  against  the  Tibetan 
community,  India,  and  other  targets,  allegedly  perpetrated  by  China.  Based  on  a  study 

TOR  is  a  network  of  virtual  tunnels  that  allow  users  to  anonymize  their  traffic.  See 
http://www.torproiect.org/about/overview.html.en. 

Conficker  Working  Group, 

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/Introduction. 

Kim  Willsher,  “French  Fighter  Planes  Grounded  by  Computer  Virus,”  The  Telegraph,  1  February 
2009,  http://www.telegraph.co.uk/news/worldnews/europe/france/4547649/French-fighter-planes- 

grounded-bv-computer-virus.html. 

Lewis  Page,  “MoD  Networks  Still  Malware-Plagued  After  Two  Weeks,”  The  Register,  20  January 
2009,  http://www.theregister.co.uk/2009/01/20/mod  malware  still  going  strong/. 
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conducted  by  Information  Warfare  Monitor,  the  GhostNet  malware  infeeted  over  1300 
eomputers  in  103  eountries,  of  whieh  as  many  as  30%  were  eonsidered  high-value  targets 
loeated  at  various  ministries  of  foreign  affairs,  embassies,  and  other  government 
faeilities  Through  reverse  engineering  of  the  GhostNet  system,  the  Information 
Warfare  Monitor  found  a  “eovert,  diffieult-to-deteet  and  elaborate  eyber-espionage 
system  capable  of  taking  full  control  of  affected  systems. However,  despite  the  in- 
depth  research  conducted  by  the  Information  Warfare  Monitor,  no  conclusion  could  be 
drawn  as  to  who  was  ultimately  in  control  of  GhostNet.  The  attackers’  IP  addresses, 
while  traeed  to  Hainan  Island,  China,  were  insuffieient  to  implieate  any  involvement  of 
the  Chinese  government.  The  eomputers  with  those  IP  addresses  eould  have  been 
eompromised  proxy  eomputers  used  to  deliberately  mislead  the  true  attaeker.  This  attaek 
emphasized  two  important  issues.  Many  government  networks  eontinue  to  be  vulnerable, 
and  more  importantly,  attribution  in  cyber  space  is  extremely  difficult  to  establish. 
Attribution  is  especially  important,  because  without  solving  it,  appropriate  actions  cannot 
be  carried  out  against  a  perpetrator. 

3.  Stuxnet 

Stuxnet  was  the  first  worm  targeted  at  industrial  control  systems.  Such  systems 
are  used  in  gas  pipelines  and  power  plants.  Attacks  against  these  systems  are  especially 
serious  because  in  the  design  of  many  industrial  control  systems,  seeurity  has  never  been 
a  foeus,  leaving  these  systems  vulnerable.  While  Stuxnet  shares  similar  eharaeteristics 
with  the  Confieker  worm,  it  is  far  more  eomplex.  Apart  from  utilizing  very  advaneed 
techniques  to  aehieve  stealth  eapability  and  propagation  via  USB  stieks,  Stuxnet  eontains 
sophistieated  eode  to  reprogram  a  Program  Logie  Controller  in  order  to  eause  physieal 
damages  (Stuxnet  is  believed  to  have  damaged  about  one  thousand  eentrifuges  at  Iran’s 
nuelear  enriehment  faeility  at  Natanz)  and  exploits  four  zero-day  vulnerabilities. While 
this  worm  was  only  diseovered  in  July  2010,  Symantee  Seeurity  Response  (SSR)  was 

“Tracking  GhostNet;  Investigating  a  Cyber  Espionage  Network,”  http://www.infowar- 
monitor.net/ghostnet. 

45  Ibid.,  6. 

46  “W32. Stuxnet  Dossier  Version  1.4.” 
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able  to  confirm  that  it  existed  at  least  one  year  prior  to  that.  The  SSR  also  observed  over 
40,000  unique  external  IP  addresses,  spanning  155  countries.  The  successful  spread  of 
Stuxnet  further  brings  to  question  whether  existing  cyber  defenses  are  adequate, 
especially  in  the  case  of  industrial  control  systems. 

F.  CONCLUSION 

Cyber  attacks  have  become  more  pervasive  and  more  serious.  This  may  be  due  to 
several  factors,  including  an  increase  in  the  use  of  computers  across  many  sectors  such  as 
government,  military,  industry,  and  finance;  an  increase  in  actors  wishing  to  exploit  and 
attack  these  computers  for  economic,  political,  and  other  advantages;  and  a  growing 
supply  of  new  vulnerabilities  along  with  attack  tools  to  exploit  them,  as  well  as  all  the 
previously  discovered  vulnerabilities  that  have  not  been  fixed  in  victim  computers.  As 
presented  by  the  different  cases  discussed,  the  attacks  have  also  become  increasingly 
sophisticated.  Not  only  have  they  been  able  to  defeat  many  of  their  targets’  cyber 
defenses,  their  perpetrators  have  been  difficult  to  trace  and  identify.  Apart  from 
continuing  to  improve  existing  defenses,  which  are  passive,  there  is  a  need  to  consider 
employing  active  cyber  defenses.  In  the  following  chapters,  the  thesis  will  examine  how 
active  defenses  have  contributed  to  traditional  warfare,  and  how  some  of  the  concepts 
could  be  applied  to  cyber  defense. 
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III.  ACTIVE  CYBER  DEEENSE 


A.  INTRODUCTION 

As  mentioned  earlier,  active  defenses  refer  to  the  employment  of  limited  offensive 
actions  (such  as  preventive  and  preemptive  strikes)  and  counterattacks  to  deny  a 
contested  area  or  position  to  the  enemy.  These  strategies  have  long  been  an  integral  part 
of  traditional  domains  of  warfare.  They  have  been  used  to  preempt  a  capability,  to 
prevent  a  war,  and  to  counter  attacks. 

In  the  context  of  cyber  defense,  active  defenses  can  be  utilized  in  the  same 
manner.  This  chapter  will  discuss  the  typologies  of  active  cyber  defense,  what  they  can 
offer,  and  how  they  can  help  in  defending  against  cyber  attacks. 

B.  TYPOLOGIES  OF  ACTIVE  CYBER  DEFENSE 

In  broad  terms,  the  typologies  of  active  cyber  defense  can  be  categorized  into 
exploitation,  counter  attack,  preemptive  attack,  and  preventive  attack. 

I.  Cyber  Exploitation 

This  typology  refers  to  the  exploitation  of  computer  systems  involved  in  a  cyber 
attack  in  order  to  obtain  intelligence  that  can  aid  in  the  analysis  of  the  attack  and  in 
determining  attribution. 

During  or  after  a  cyber  attack,  passive  defenses  such  as  forensics  and  auditing  of 
logs  can  only  reveal  the  IP  addresses  of  the  immediate  attack  sources.  However,  as 
discussed  before,  many  attacks  are  launched  through  multiple  hops,  consisting  of  hacked 
computers.  Thus,  to  determine  the  true  origin  of  an  attack,  an  effective  way  to  trace 
through  the  attack  path  undertaken  by  the  attacker  is  needed. 

One  widely  researched  technique,  which  does  not  require  any  exploitation  of  the 
attacking  computers,  is  IP  traceback.^^  However,  this  technique  is  not  yet  mature. 


Andrey  Belenky  and  Nirwan  Ansari,  “IP  Traceback  with  Deterministic  Packet  Marking,”  IEEE 
Communications  Letters  7,  no.  4  (April  2003);  162. 
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resulting  in  compatibility  and  performance  issues  Also,  the  attribution  systems  built  on 
techniques  such  as  IP  traceback  need  to  be  implemented  at  as  many  ISPs  as  possible  in 
order  for  results  to  be  accurate This  raises  the  issue  of  cost.  Without  any  financial 
gain,  there  is  little  motivation  for  the  ISPs  to  implement  attribution  systems,  even  if  they 
are  working  perfectly.  Furthermore,  the  trustworthiness  of  the  information  may  be 
questionable  when  a  non-friendly  country  is  involved. For  illustration,  there  may  be 
network  traffic  transmitted  from  the  U.S.  to  Russia  over  a  network  that  extends  into  the 
North  Korean  network.  To  what  extent  will  the  North  Koreans  be  willing  to  cooperate  to 
release  attribution  information?  And  even  if  they  were  willing  to  release  the  information, 
would  it  be  reliable? 

Through  cyber  exploitation,  these  issues  may  be  avoided.  After  obtaining  the  last 
IP  address  of  the  computer  used  by  the  attacker  (based  on  results  from  forensics  and  log 
audits),  the  computer  could  be  exploited  or  “hacked  back.”  After  gaining  access,  in-depth 
analysis  could  determine  the  next  system  in  the  chain.  By  repeating  the  process,  the 
attack  path  could  be  identified,  eventually  leading  to  the  computer  used  for  the  attack.^! 
Once  that  is  achieved,  forensic  needs  to  be  performed  on  this  computer  so  as  to  determine 
the  owner  of  the  computer.  By  investigating  the  documents  stored  on  the  computer,  web 
surfing  history  and  cache  files,  e-mails,  etc.,  the  owner  or  user  of  that  computer  could  be 
identified.52  xhe  information  retrieved  from  the  investigation  may  then  provide  clues  as 
to  who  the  mastermind  is,  and  whether  a  state  is  involved.  For  example,  there  could  be  an 
e-mail  conversation  or  document  containing  instructions  from  some  state  official. 
However,  that  would  be  inconclusive  since  the  official  could  be  acting  on  his  own  accord. 

Ping  Wang  et  al.,  “A  New  Approach  for  Solving  the  IP  Tracehack  Problem  for  Weh  Security,” 
Advances  on  Information  Sciences  and  Service  Sciences  3,  no.  2  (March  2011). 

Jeffrey  Hunker,  Boh  Hutchinson,  and  Jonathan  Margulies,  “Role  and  Challenges  for  Sufficient 
Cyher-Attack  Attrihution,”  Institute  for  Information  Infrastructure  Protection,  January  2008, 
http://ww.thei3p.org/docs/puhlications/whitepaper-attrihution.pdf 

Matt  Bishop,  C.  Gates,  and  J.  Hunker.  “The  Sisterhood  of  the  Traveling  Packets,”  In  Proceedings  of 
the  2009  Workshop  on  New  Security  paradigms,  2009,  61. 

^  ^  David  Wheeler  and  Gregory  Larsen,  “Techniques  for  Cyher  Attack  Attrihution,”  Institute  For 
Defense  Analyses,  October  2003,  23. 

Keith  Jones,  Richard  Bejtlich,  and  Curtis  Rose,  Real  Digital  Forensics  (New  Jersey:  Addison- 
Wesley,  2008),  205-300. 
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To  get  to  the  truth,  more  investigation  would  be  needed.  The  official’s  computer  could  be 
exploited.  By  monitoring  his  e-mails  and  documents,  more  clues  and  evidence  may  be 
gathered.  In  any  case,  there  would  be  technical  and  legal  considerations  concerning  such 
exploitation.  These  will  be  discussed  at  the  end  of  this  chapter. 

At  this  point,  appropriate  legal  actions  could  be  taken  against  the  attacker,  or  if 
the  attacker  were  a  foreign  government,  actions  such  as  economic  sanctions, 
conventional/cyber  counter  attack,  and  others,  could  be  taken.  Or  perhaps  for  strategic 
reasons,  the  defending  nation  may  even  choose  not  to  reveal  its  knowledge  of  the 
attacker.  Regardless,  the  capacity  to  undertake  such  a  cyber  exploitation  to  achieve  a 
more  thorough  attack  analysis  and  attribution  leads  to  deterring  potential  attackers. 

Many  attackers  would  take  advantage  of  the  very  architecture  of  the  Internet  to 
mask  their  traces.  In  doing  so,  they  could  then  carry  out  their  attacks  without  any  fear  of 
being  identified  or  facing  other  consequences.  They  would  compile  a  pool  of  vulnerable 
computers  that  they  have  hacked,  and  subsequently  log  in  through  a  series  of  these 
hacked  computers  before  launching  the  attack.53  Alternatively,  they  could  also  connect 
via  anonymous  proxy  servers  or  TOR  to  launder  their  traffic. While  a  counter  attack  on 
the  attacker  may  not  be  possible  until  an  actual  location  is  determined,  it  can  still  be 
useful.  As  discussed  previously,  exploiting  the  various  hacked  computers  would  allow 
the  reconstruction  of  the  attack  path,  which  in  turn  would  reveal  the  location  of  the 
attacker.  Once  that  is  obtained,  actions  could  be  taken  to  disable  the  attacker’s  systems. 
Knowing  that  he  may  no  longer  hide  in  the  shadows  of  the  Internet  and  that  his  systems 
may  be  attacked,  he  is  likely  to  be  further  deterred. 

2.  Counter  Attack 

The  U.S.  Department  of  Defense  defines  counter  attack  as  an  “attack  by  part  or  all 
of  a  defending  force  against  an  enemy  attacking  force,  for  such  specific  purposes  as 
regaining  ground  lost  or  cutting  off  or  destroying  enemy  advance  units,  and  with  the 

Stuart  Staniford-Chen,  L.  Todd  Heberlein,  “Holding  Intruders  Accountable  on  the  Internet,” 
Proceedings  1995  IEEE  Symposium  on  Security  and  Privacy,  IEEE,  May  1995,  39. 

“Tor;  Overview,”  Tor  project,  http://www.torproiect.org/about/overview.html.en. 
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general  objective  of  denying  to  the  enemy  the  attainment  of  the  enemy’s  purpose  in 
attacking.  In  sustained  defensive  operations,  it  is  undertaken  to  restore  the  battle  position 
and  is  directed  at  limited  objectives. An  example  of  a  counter  attack  in  history  is  the 
siege  of  Bastogne  during  the  Second  World  War.  On  December  20,  1944,  the  Germans 
laid  siege  at  the  town  of  Bastogne,  Belgium,  as  part  of  their  efforts  to  capture  Antwerp. 
While  the  siege  was  ongoing,  U.S.  Lt.  Col.  Creighton  Abrams,  who  later  commanded  U.S 
forces  in  Vietnam,  led  a  counter  attack  against  the  Germans,  and  succeeded  in  punching 
through  the  German  lines,  thereby  ending  the  seven-day  siege. 

In  the  case  of  a  cyber  attack,  the  equivalent  would  be  to  counter  hack  the  attacker 
responsible  for  the  cyber  attack,  instead  of  relying  on  more  passive  means  such  as  a 
perimeter  firewall  or  an  intrusion  prevention  system  to  filter  or  block  the  attacks. One 
of  the  earliest  examples  of  a  cyber  counter  attack  occurred  in  1998.  A  group  of  activists 
by  the  name  of  the  Electronic  Disturbance  Theater  (EDT)  had  launched  a  “web  sit-in” 
(DOS  attack)  against  a  Pentagon  website.  The  Pentagon  reacted  by  redirecting  the 
incoming  web  traffic  to  a  web  application,  which  subsequently  caused  the  attacker’s  web 
browsers  to  crash,  thereby  neutralizing  the  attacks. 

In  another  example,  during  the  World  Trade  Organization  (WTO)  Summit  in 
January  2000,  the  WTO  server  was  the  target  of  a  DOS  attack  by  Electrohippies  (E- 
hippies),  an  activist  group  based  in  the  United  Kingdom.  Conxion  Inc.,  the  company  at 
which  the  WTO  server  was  hosted,  was  able  to  trace  back  the  IP  addresses  to  the  E- 


Defense  Technical  Information  Center,  http://www.dtic.mi1/doctrine/iel/doddict/data/c/01 33 1  .html. 

Colonel  S.L.A  Marshall,  “Bastogne  The  First  Eight  Days,”  U.S.  Army  In  Action  Series,  The  Center 
of  Military  History,  http://www.historv.armv.mil/hooks/wwii/Bastogne/hast-fm.htm. 

Incidentally,  the  Pentagon  has  announced  a  new  cyher  strategy  in  that  computer  attacks  coming 
from  another  country  can  he  regarded  as  an  act  of  war,  and  that  it  reserves  the  right  to  respond  hy  kinetic 
means.  See  Siohhan  Gorman  and  Julian  Barnes,  “Cyher  Comhat:  Act  of  War,”  Wall  Street  Journal,  3 1  May 
2011,  http://online.wsi.eom/article/SB10001424052702304563104576355623135782718.html. 

Robert  Wildt,  “Should  you  Counter-Attack  when  Network  Attackers  Strike?”  Global  Information 
Assurance  Certification  Paper,  SANS  Institute,  13  December  2000. 
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hippies’  server.  Instead  of  filtering  the  ineoming  attaeks,  Conxion  redireeted  the  attaeks 
back  to  the  E-hippies  server,  and  was  able  to  disable  that  server  for  several  hours. 

Both  examples  show  how  counter  attacks  have  been  used  to  effectively  stop 
attacks.  Counter  attack  does  not  just  prevent  the  attacks  from  succeeding;  it  aims  to 
prevent  the  attacker  from  launching  further  attacks.  In  the  case  of  a  DDOS  attack  carried 
out  by  a  botnet  controlled  via  C&C  servers,  counter  attacks  could  be  carried  out  either 
against  the  C&C  servers  or  the  computer/network  of  the  attacker. 

This  is  identical  to  that  of  command  and  control  warfare  as  described  by  Martin 
Libicki  in  What  is  Information  Warfare!  In  conventional  warfare,  command  and  control 
systems  are  widely  used  to  enhance  battlefield  communications  and  effectiveness.  Libicki 
described  an  effective  way  to  cripple  the  enemy’s  command  and  control  warfare  system 
by  decapitating  the  enemy’s  command  structure  from  its  body  of  command  forces. In 
the  context  of  a  DDOS  attack  from  a  botnet  under  centralized  command  and  control,  a 
similar  approach  would  be  to  shut  down  the  C&C  servers.  Since  the  bots  receive  their 
instructions  from  the  C&C  servers,  doing  so  will  prevent  further  instructions  from 
propagating  to  the  bots.  It  would  also  aid  in  neutralizing  the  attack.  While  backup  C&C 
servers  may  surface,  this  process  may  be  repeated  until  all  C&C  servers  are  shut  down. 
An  additional  or  alternative  response  would  be  to  send  out  code  to  the  bots,  instructing 
them  to  be  idle.  Thereafter,  their  respective  ISPs  and  security  product  vendors  could  be 
involved  to  work  with  the  owners  to  remove  the  bots. 

If  a  sample  of  a  bot  code  can  be  obtained,  the  code  may  contain  the  IP  addresses 
or  domain  names  of  the  C&C  servers.  Alternatively,  the  bot  could  be  executed  in  a 
controlled  environment,  and  be  monitored  closely  as  to  where  it  tries  to  connect.  Doing 
so  can  also  reveal  the  whereabouts  of  the  C&C  servers.  However,  if  no  such  sample  is 
available,  exploitation  could  be  done  on  one  of  the  bots  involved  in  the  DDOS  attack. 
After  gaining  access  to  that  bot,  analysis  could  be  performed.  Once  the  IP  addresses  of 

Jayawal,  Vikas,  William  Yurcik,  and  David  Doss,  “Internet  Hack  Back;  Counter  Attacks  as  Self- 
Defense  or  Vigilantism?”  June  2002,  http://www.scribd.eom/doc/38380481/Internet-Hack-Back-Counter- 
Attacks-as-Self-Defense-or-Vigilantism. 

Martin  Libicki,  What  is  Information  Warfare?  Institute  for  National  Strategic  Studies,  National 
Defense  University,  August  1995,  http://www.ndu.edu/inss/actpubs/act003/a003ch03.html. 
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the  C&C  servers  were  diseovered,  an  attaek  eould  be  launehed  on  that  server  to  take  it 
offline.  Alternatively,  relevant  authorities  and  eorresponding  ISPs/owners  eould  be 
notified  so  that  the  server  eould  be  eleaned  up  and,  if  necessary,  seized  for  further 
investigations. 

A  recent  example  of  such  a  counter  initiative  is  the  taking  down  of  the  Coreflood 
botnet  by  the  FBI  in  April  201 1.^^  The  Coreflood  botnet  had  infected  over  two  million 
computers  around  the  world,  stealing  the  users’  credentials  (usernames  and  passwords), 
and  other  personal  and  financial  information.  After  obtaining  a  court  order,  the  FBI 
proceeded  to  seize  the  five  C&C  servers  and  take  down  the  twenty-nine  Internet  domain 
names  used  by  Coreflood.  With  control  over  the  C&C  servers,  the  FBI  also  arranged  for 
instructions  to  be  propagated  down  to  the  bots  that  effectively  placed  them  in  a  dormant 
state. 

In  cases  where  the  botnet’s  command  structure  is  based  on  a  peer-to-peer  (P2P) 
architecture  instead  of  centralized  C&C  servers,  the  above  operation  would  not  work. 
Instead,  other  forms  of  counter  attack  would  be  required.  However,  since  P2P  bots 
propagate  instructions  to  one  another  rather  than  retrieve  the  instructions  from  a  central 
C&C  server,  it  is  possible  to  conduct  a  man-in-the-middle  attack  and  intercept/manipulate 
the  communications  between  the  bots.  In  doing  so,  neutralizing  instructions  (such  as 
instructing  the  bots  to  enter  a  dormant  mode)  could  be  transmitted  to  other  bots.^^ 

Counter  attack  could  also  be  useful  as  a  form  of  deterrent.  As  Patrick  Morgan 
explained,  deterrence  refers  to  “efforts  to  avoid  being  deliberately  attacked  by  using 
threats  to  inflict  unacceptable  harm  on  the  attacker  in  response.”^^  He  added  that  such 
harm  could  involve  making  the  cost  of  attack  too  great  for  the  attacker  to  continue,  or  it 
could  be  in  the  form  of  retaliation.  In  the  context  of  a  cyber  attack,  retaliation  would 

Chris  Lefkow,  “U.S.  disables  Coreflood  botnet,  seizes  servers,”  PHYSORG.COM,  April  13,  2011, 
http://www.phvsorg.com/news/2011-04-disables-coreflood-botnet-seizes-servers.html. 

Felix  Leder,  Tillmann  Werner,  Peter  Martini,  “Proactive  Botnet  Countermeasures  -  An  Offensive 
Approach,”  NATO  Cooperative  Cyber  Defence  Centre  of  Excellence,  March  2009, 
http://www.ccdcoe.org/publications/virtualbattlefield/15  LEDER  Proactive  Coutnermeasures.pdf. 

Patrick  Morgan,  “Applicability  of  Traditional  Deterrence  Concepts  and  Theory  to  the  Cyber 
Realm,”  Proceedings  of  a  Workshop  on  Deterring  Cyber  Attacks:  Informing  Strategies  and  Developing 
Options  for  U.S.  Policy  (2010),  http://www.nap.edu/catalog/12997.html. 
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imply  a  counter  cyber  attack.  Therefore,  if  the  attacker  knew  that  there  could  be  a  counter 
attack  or  retaliation,  he  would  be  more  likely  to  be  deterred. This  is,  however, 
contingent  upon  the  defender’s  ability  to  pierce  through  the  attacker’s  veil  of  anonymity. 

3.  Preemptive  Strikes 

A  preemptive  strike  is  one  that  uses  “force  against  an  attack  that  is  believed  to  be 
imminent  based  on  evidence  that  hostile  action  has  begun  or  is  about  to  occur.”^^ 
counter  attack,  preemption  has  been  seen  throughout  military  history. por  example,  in 
1967,  Israel  believed  it  was  launching  a  preemptive  war  against  Egypt  when  the  latter 
massed  its  troops  on  Israel’s  borders. 

In  the  context  of  cyberspace,  a  preemptive  strike  can  be  described  as  “conducting 
an  attack  on  a  system  or  network  in  anticipation  of  that  system  or  networking  conducting 
an  attack  on  your  system.”^^  Assuming  a  scenario  where  a  state  (Blue)  has  gathered 
intelligence  that  a  hostile  state  (Red)  has  plans  to  mount  a  cyber  attack  against  it.  Blue 
can  launch  a  preemptive  cyber  operation  against  Red.  Doing  so  can  help  achieve  the 
following: 

1)  Cripple  the  enemy’s  attack  capability.  In  the  case  of  the  Six  Day  War  in  1967, 
the  moment  Israel  found  out  that  Egypt  had  been  building  up  its  troops  at  Israel’s  borders, 
Israel  launched  an  attack  against  the  Arabs.  The  preemptive  attack  by  the  Israeli  forces 
destroyed  nearly  four  hundred  Egypt-based  military  aircraft.^^  In  the  eyber  operation 
mentioned  above,  upon  penetrating  Red’s  networks.  Blue  can  cripple  Red’s  cyber  attack 
capability  through  the  disruption  of  Red’s  network. 


David  Clark  and  Susan  Landau,  “Untangling  Attribution,”  Proceedings  of  a  Workshop  on  Deterring 
Cyber  Attacks:  Informing  Strategies  and  Developing  Options  for  U.S.  Policy  (2010), 
http://www.nap.edu/catalog/12997.html. 

The  Best  Defense?,  Legitimacy  and  Preventive,  9. 

66  Ibid.,  70. 
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2)  Deterrence.  Upon  infiltrating  Red’s  network,  Blue  can  subtly  make  its  presence 
known,  thereby  alerting  Red  that  its  network  has  been  compromised.  Doing  so  might 
deter  Red  from  launching  an  attack  on  Blue.  This  is  described  by  W.  Earl  Boebert  in  the 
NRC  report,  as  the  “awareness  on  the  part  of  potential  attackers  that  such  “cyber 
patrolling”  was  being  conducted  and  would  in  and  of  itself  act  as  a  deterrent,  since  they 
would  be  faced  with  additional  security  tasks  as  well  as  the  uncertainty  as  to  the  degree  to 
which  they  may  themselves  have  been  penetrated  and  placed  at  risk.”^^ 

4.  Preventive  Strikes 

While  conceptually  a  preventive  strike  may  seem  similar  to  a  preemptive  strike, 
there  is  an  important  distinction.  As  Abraham  Sofaer  described,  a  preventive  strike  is  the 
“use  of  force  against  an  anticipated  attack  based  on  a  judgment  that  the  attacker  will  use 
existing  or  potential  means  to  attack  in  the  future,  or  to  engender  other  types  of  harm, 
including,  for  example,  harm  to  hostages,  attacks  by  non-state  actors,  or  the  mistreatment 
by  a  State  of  its  own  nationals. This  implies  that  such  an  attack  is  launched  before  any 
non-imminent  attack  or  threat  that  does  not  qualify  as  an  attack  under  international  law.^^ 

A  good  example  of  a  preventive  strike  occurred  in  1981,  when  Israel  launched  an 
attack  on  the  nuclear  reactor  at  Osirak,  in  Iraq.  At  that  time,  the  uranium-powered  reactor 
was  nearing  completion,  but  there  were  no  signs  of  its  being  stocked  with  nuclear  fuel. 
However,  Israel  claimed  that  the  reactor  would  be  capable  of  producing  devastating 
nuclear  weapons,  and  that  it  could  not  allow  such  an  enemy  to  develop  weapons  of  mass 
destruction  against  Israelis. 

With  a  similar  argument,  a  preventive  cyber  attack  can  be  launched  against  a 
hostile  actor  (both  state  and  non-state)  to  prevent  the  latter  from  acquiring  any  cyber 
offensive  capability.  It  can  also  achieve  the  similar  deterrent  effect  as  with  the  case  of  a 
preemptive  attack  mentioned  above.  That  is,  when  the  hostile  actor  realized  that  its 
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network  had  been  compromised,  it  might  think  twice  about  pursuing  cyber  attack 
capability.  However,  a  preventive  cyber  attack  can  also  be  extended  to  a  non-cyber 
related  offensive  capability.  A  good  example  of  this  would  be  Stuxnet,  the  first  computer 
worm  targeted  at  industrial  systems,  or  more  specifically  at  nuclear  facilities. While 
Stuxnet  spread  to  computers  around  the  world,  the  infection  was  concentrated  mainly  in 
Iran. p  appears  that  the  creator  of  Stuxnet  intended  to  use  the  worm  to  prevent  the 
buildup  of  nuclear  weapon  capability  in  Iran.  President  Mahmoud  Ahmadinejad  also 
publicly  acknowledged  that  Stuxnet  had  disrupted  Iran’s  nuclear  program.^^  As  it  seems, 
the  Stuxnet  has  already  encouraged  emulation  by  others,  as  evident  by  the  Duqu 
malware.  As  reported  by  Symantec,  Duqu  has  been  labeled  as  a  precursor  to  the  next 
Stuxnet.^^ 

C.  LIMITATIONS  AND  CONSIDERATIONS 

The  typologies  mentioned  in  this  chapter  are  not  without  their  limitations.  First  of 
all,  such  measures  are  very  controversial  and  may  violate  certain  international  laws. 
Secondly,  even  if  such  measures  can  be  justified,  there  are  technical  challenges. 

I.  Technical  Aspects 

One  of  the  key  success  factors  in  utilizing  active  cyber  defenses  is  the  ability  to 
launch  a  cyber  attack.  For  the  counter  strike  to  be  successful,  the  active  defender  needs  to 
be  able  to  exploit  vulnerabilities  in  the  systems  used  by  the  attacker.^^  While  the  attacker 
is  likely  to  be  using  computers  that  he  has  previously  hacked  (intermediate  computers), 
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he  is  also  likely  to  have  patched  any  known  vulnerabilities  on  those  intermediate 
computers. As  such,  it  could  take  massive  efforts  to  research  a  new  vulnerability  that 
would  allow  the  counter  attack  to  succeed.  This  poses  a  big  challenge  because  such 
research  can  be  time  consuming.  If  it  takes  too  long,  it  would  delay  the  counter  attack 
resulting  in  more  extensive  damages  to  the  defender.  Furthermore,  this  delay  would  also 
create  a  wider  window  of  opportunity  for  the  attacker  to  mask  his  traces  and/or  further 
secure  the  intermediate  computers.  Just  as  in  the  siege  of  Bastogne,  should  Lt.  Col. 
Abrams  have  delayed  his  counter  attack  by  a  few  more  days,  the  allies’  casualties  would 
have  risen  considerably.  The  Germans  could  also  have  had  reinforcements  in  place, 
thereby  strengthening  their  positions  to  repel  the  counter  attack. 

One  possibility  to  address  the  timeliness  issue  is  to  allocate  more  resources  to 
discovering  vulnerabilities.  Unfortunately,  that  in  itself  is  a  challenge,  as  there  is  a  severe 
shortage  of  cyber  security  experts.®^  The  research  could  be  performed  in  advance,  but  this 
requires  identifying  the  systems  used  by  potential  adversaries.  Such  information  could  be 
acquired  from  exploitation  or  other  sources  of  intelligence  and  then  used  to  steer  the 
research,  resulting  in  readiness  for  a  counter,  preemptive,  or  preventive  attack. 

2.  Legal  Aspects 

Assuming  technical  concerns  are  overcome,  there  are  still  legal  issues  relating  to 
the  use  of  active  defenses.  Traditionally,  active  defenses  have  been  controversial.  For 
example,  after  the  Israeli  bombing  of  the  Osirak  nuclear  reactor  in  June  1981,  there  was  a 
broad  agreement  among  various  nations  that  the  bombing  was  unacceptable.  The  Reagan 
administration  condemned  the  attack  and  the  British  government  claimed  that  the  action 
had  violated  international  law.^^  Should  a  state  carry  out  a  cyber  attack  against  another 
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state  on  the  basis  of  preventing  a  potential  threat  from  oeeurring,  it  would  likely  draw 
eritical  serutiny  from  nations  around  the  world. 

Based  on  the  International  Law  of  Armed  Confliet  (LOAC),  a  state  must  have 
“good”  reasons  for  using  foree  or  violenee  against  another  state. *2  Articles  39  and  42  of 
the  UN  Charter  “permit  the  Security  Council  to  authorize  uses  of  force  in  response  to 
‘any  threat  to  the  peace,  breach  of  the  peace,  or  act  of  aggression’  in  order  to  ‘maintain  or 
restore  international  peace  and  security.’”  Article  51  adds  that  “Nothing  in  the  present 
Charter  shall  impair  the  inherent  right  of  individual  or  collective  self-defence  if  an  armed 
attack  occurs... ”83  Thus,  in  the  cyber  context,  when  would  it  be  legal  for  a  nation  to 
launch  a  cyber  attack  (counter  attack,  preventive  attack,  or  preemptive  attack)  against 
another?  What  would  the  “good”  reasons  be?  Assuming  the  reasons  were  adequate,  what 
would  the  rules  that  govern  the  use  of  a  cyber  attack  be? 

What  about  exploitation  of  the  intermediate  system?  In  the  case  of  Coreflood,  the 
FBI,  after  obtaining  the  court  order,  seized  several  of  the  servers.  Thereafter,  they  were 
able  to  fully  analyze  the  hardware  legally.  However,  what  would  happen  when  an 
intermediate  system  was  located  in  a  foreign  country?  This  could  be  a  complex  issue 
because  different  countries  would  have  different  laws,  interests,  and  even  capacity  to 
handle  the  situation. 84  Or  perhaps  the  foreign  country  could  be  on  unfriendly  or  non- 
cooperative  terms.  The  Council  of  Europe’s  Convention  on  Cybercrime  aims  to 
harmonize  state  laws  and  foster  inter-state  cooperation,  but  not  all  countries  have  signed 
on  or  agreed  to  its  principles. 85 

Given  these  factors,  when  would  it  be  legal  to  proceed  with  an  exploitation?  And 
in  the  process  of  the  exploitation,  who  will  be  held  responsible  should  the  system  become 
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unstable?  Also,  legitimate  users  of  that  system  eould  have  their  privaey  violated.  For 
example,  sniffers  eould  be  deployed  to  analyze  the  network  traffie  passing  through  the 
system  and  doeuments  eould  be  extraeted  as  part  of  a  forensie  investigation.  The  sniffers 
could  reveal  the  users’  credentials  to  other  systems,  and  the  documents  might  contain 
private  information.  Proceeding  with  such  exploitation  could  possibly  violate  the  privacy 
of  individuals  or  other  domestic  laws  of  that  country.  As  such,  could  legal  actions  be 
taken  against  the  party  responsible  for  the  exploitation/investigation?  Furthermore  as 
Kesan  and  Hayer  cautioned  in  their  paper,  Mitigative  Counterstriking,  such  hostile 
actions  could  escalate  into  kinetic  armed  conflict. 

D.  CONCLUSION 

The  discussion  presented  in  this  chapter  has  shown  that  active  cyber  defenses  can 
be  useful  in  defending  against  cyber  attacks.  They  can  help  address  attribution;  deter 
potential  attackers;  and  mitigate,  preempt,  and  prevent  cyber  attacks.  However,  this  does 
not  imply  that  active  cyber  defenses  can  replace  passive  defenses.  Passive  defenses  are 
still  required  as  part  of  an  overall  cyber  defense  posture.  For  example,  passive  defenses 
can  be  used  to  block  the  attacker,  while  active  defenses  can  be  used  to  go  after  the 
attacker,  thereby  preventing  him  from  launching  further  attacks. 

The  use  of  active  defenses  is  likely  to  continue  to  generate  controversy, 
particularly  due  to  the  unanswered  questions  listed  earlier.  Regardless,  active  cyber 
defenses  will  need  to  be  executed  within  the  context  of  an  overall  strategy  that  takes  into 
account  the  above  issues  to  ensure  that  the  benefits  outweigh  the  costs  and  risks.  Active 
defenses  are  a  double-edged  sword  and  have  the  potential  to  do  more  harm  than  good  if 
not  implemented  with  utmost  care  and  in  adherence  to  laws  and  ethical  principles. 
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IV.  CASE  STUDIES 


A.  INTRODUCTION 

This  chapter  examines  three  of  the  more  prominent  eases  of  eyber  attaeks  in 
reeent  history.  They  are  GhostNet,  the  eyber  espionage  ineident  that  affeeted  103 
countries;*^  massive  eyber  attaeks  against  Estonia;*^  and  Stuxnet,  the  first  computer 
worm  targeted  at  industrial  sy stems. The  ehapter  will  deseribe  the  attaeks  and  diseuss 
how  aetive  eyber  defense  eould  have  played  a  part  in  defending  against  them. 

B.  GHOSTNET 

I.  Overview 

GhostNet  was  touted  as  the  largest  spying  operation  to  have  been  uncovered  at  the 
time,  based  on  the  number  of  affected  countries. A  ten-month  investigation  by  the 
Information  Warfare  Monitor  (IWM)  discovered  that  GhostNet  had  infeeted  1,295 
computers  in  103  countries.  As  many  as  thirty  percent  of  these  computers  were  deemed 
high-value  targets.  They  included  computers  belonging  to  various  ministries  of  foreign 
affairs  and  embassies. The  Figure  4  depiets  the  geographieal  loeations  of  the 
compromised  eomputers. 
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The  Vast  Reach  of  ‘GhostNet’ 

Researchers  have  detected  an  intelligence  gathering  operation  involving  at  least  1 ,295  compromised 
computers.  Below,  the  locations  of  347  of  the  compromised  machines,  many  of  which  were  tracked  to 
diplomatic  and  economic  government  offices  of  South  and  Southeast  Asian  countries. 


TAIWAN 


Circles  are  scaled  in  proportion 
to  me  number  of  compromised 
computers  found  in  each  country. 
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Figure  4.  The  vast  reaeh  of  GhostNet^^ 


2.  The  Investigation 

The  primary  mode  of  infection  in  GhostNet  was  social  engineering.  The  attacker 
first  sent  an  e-mail  with  an  attachment  to  the  target  with  an  appealing  message  to  entice 
the  target  to  open  the  attachment.  Once  the  target  opened  the  attachment,  the  target’s 
computer  proceeded  to  download  and  install  the  GhOst  RAT  malware. ^3  GhOst  RAT  is  a 
Remote  Access  Trojan  that  allowed  the  attacker  to  have  near  unrestricted  access  to  the 
infected  computers. The  Trojan  connected  to  command  and  control  servers  on  the 
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Internet  to  retrieve  instructions.  The  instructions  could  command  the  software  to  transmit 
any  files  to  and  from  a  remote  computer,  activate  the  webcam  or  microphone,  or  other 

directives.  95 

By  monitoring  the  computers  in  Dharamsala  and  at  various  Tibetan  missions, 
IWM  was  able  to  determine  the  IP  addresses  of  the  servers  hosting  GhOst  RAT  and  for 
command  and  control.  With  further  analysis,  four  hosting  servers  and  six  command  and 
control  servers  were  mapped  out.  Three  of  the  four  hosting  servers  were  located  in  China. 
The  fourth  was  located  in  the  U.S.  Five  of  the  six  command  and  control  servers  were 
located  in  China,  with  the  sixth  in  Hong  Kong. 96 

While  the  majority  of  the  command  and  control  servers’  IP  addresses  were  traced 
back  to  China,  the  Chinese  government  denied  any  involvement.97  Without  concrete 
evidence,  identity  of  the  perpetrator  remains  a  problem.  And  as  IWM  rightfully  pointed 
out,  GhostNet  “could  have  been  conducted  by  a  state  other  than  China,  but  using  servers 
within  China  for  strategic  purposes. ”98  Thus,  despite  the  in-depth  analysis  by  IWM,  it  is 
uncertain  as  to  the  identity  of  the  true  culprit. 

3.  How  Could  Active  Cyber  Defenses  Have  Helped  in  This  Scenario? 

In  this  scenario,  active  cyber  defense  might  be  able  to  do  what  IWM  failed  to  do, 
that  is,  to  reconstruct  the  attack  path  and  identify  the  actual  attacker.  The  IWM  mentioned 
in  its  report  that  its  network  trace  had  ended  at  the  location  of  the  command  and  control 
servers,  and  that  it  was  not  conclusive  as  to  who  was  behind  GhostNet.  As  such,  a  more 
affirmative  way  to  deduce  the  attacker’s  identity  would  have  been  to  monitor  the 
command  servers  and  then  determine  who  was  uploading  the  instructions.  This  can  be 
done  in  two  ways.  First  would  be  to  involve  the  authorities  and  service  providers  of  the 
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country  where  the  C&C  servers  are  located.  This  approach  would  be  similar  to  that  taken 
with  Coreflood,  where  the  FBI  first  obtained  a  court  order  before  seizing  the  servers. 
With  access  to  the  servers,  logs  and  other  data  on  the  servers  can  be  analyzed  to  help 
trace  and  identify  the  person  who  uploaded  the  instructions  for  GhOst  RAT.  In  one 
instance,  IWM  found  that  stolen  files  were  uploaded  to  a  C&C  server  located  in  Beijing, 
China.  In  a  situation  when  cooperation  from  the  authorities  and/or  service  providers  is 
lacking,  this  C&C  server  could  have  be  exploited.  For  example,  hacking  into  the  C&C 
server  would  allow  data  to  be  examined  and  analyzed  that  would  otherwise  be  impossible 
to  aequire.  Thereafter,  the  attacker  could  be  traeed  in  the  same  manner  described  above. 

Another  way  to  conduct  cyber  exploitation  is  to  adopt  the  original  concept  of  the 
Trojan  Horse  as  used  by  the  Greeks  when  they  wanted  to  gain  entrance  into  Troy.ii^  In 
the  cyber  context,  backdoors  could  be  embedded  in  seemingly  important  documents 
located  within  the  computers  infected  by  GhostRat.  When  the  attaeker  retrieved  and 
opened  these  documents,  his  computer  would  be  compromised.  Thereafter  instructions 
could  be  sent  to  the  backdoor  to  extract  system  and  network  information,  to  be  used  to 
determine  the  location  and  identity  of  the  attacker.  Of  course,  this  will  only  work  if  the 
attacker  opens  the  documents  and  the  backdoor  is  successfully  installed.  Subsequently, 
Internet  access  is  required  in  order  for  the  information  to  be  sent  out. 

C.  CYBER  ATTACK  ON  ESTONIA 

1.  Overview 

In  April  2007,  Estonia  experienced  a  massive  cyber  attack  that  nearly  shut  down 
the  nation’s  digital  infrastructure.  The  attack  lasted  from  April  27,  2007,  to  May  18, 
2007,  and  occurred  in  parallel  to  the  rioting  in  the  streets  as  part  of  a  protest  against  the 
Estonian  government  for  relocating  a  Soviet-era  Second  World  War  memorial.  1^2  while 
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the  media  described  this  attack  as  “the  first  war  in  cyberspace,”  ^  ^3  others  termed  it  a 
“cyber  riot.”^^'^  Regardless,  the  impact  was  significant  due  to  Estonia’s  high  dependency 
on  the  Internet.  Online  sites  belonging  to  various  government  agencies,  newspapers, 
banks,  and  Internet  service  providers  were  severely  disrupted  during  this  period. 

The  attacks  were  carried  out  in  four  waves  and  consisted  of  DDOS  and  web 
defacement  attacks. The  government  targets  included  the  Estonian  Government 
Briefing  Room,  the  Estonian  Ministry  of  Defense,  leading  political  parties,  and  the 
parliament.  The  private  sector  targets  included  two  of  the  largest  banks  in  Estonia,  three 
news  organizations,  and  telephone  exchanges. Notably,  97  percent  of  Estonians  are 
dependent  on  e-banking,  further  signifying  the  seriousness  of  the  attack, 

2.  Responding  to  the  Attacks 

The  Estonian  CERT,  system  administrators,  and  top  IT  experts  worked  together  to 
respond  to  the  attack.  The  first  technical  response  was  to  increase  the  bandwidth  or 
throughput  capacity  to  the  targets  so  they  could  handle  more  traffic,  By  May  10,  2007, 
the  bandwidth  capacity  for  the  Estonian  government  networks  had  increased  several 
times  above  its  regular  capacity.  Apart  from  this,  other  technical  measures  were  in  place 
as  well.  Security  patches  were  installed;  firewall  rules  configured  to  filter  out  the 
malicious  traffic;  external  servers  blocked,  along  with  other  measures.  However,  that  did 


103  Mark  Landler  and  John  Markoff,  “Digital  Fears  Emerge  After  Data  Siege  in  Estonia,”  New  York 
Times,  29  May  2007,  http://www.nvtimes.eom/2007/05/29/technologv/29estonia.html. 

Bill  Brenner  “Black  Hat  2007:  Estonia  Attacks  Were  A  Cyher  Riot,  Not  Warfare,”  3  August  2007, 
http://searchsecuritv.techtarget.eom/news/1266728/Black-Hat-2007-Estonian-attacks-were-a-cvher-riot- 

not-warfare. 

105  “International  Cyher  Incidents:  Legal  Considerations,”  19-20. 

“Emerging  Cyher  Threats  and  Russian  Views  on  Information  Warfare  and  Information 
Operations,”  40. 

Tom  Espiner,  “Estonia’s  Cyherattacks:  Lessons  Learned,  A  Year  On,”  ZDNet,  1  May  2008, 
http://www.zdnet.co.uk/news/securitv-threats/2008/05/01/estonias-cvberattacks-lessons-learned-a-vear-on- 

39408158/. 

108  “International  Cyber  Incidents:  Legal  Considerations,”  24. 


35 


not  stop  all  the  attacks.  It  was  reported  that  the  attackers  managed  to  obtain  inside 
information  on  the  attack  and  were  able  to  adjust  their  attacks  to  overcome  the 
defenses. 

Other  responses  included  support  coming  from  the  international  community.  For 
example,  U.S.  governmental  institutions  tried  to  help  locate  and  shut  down  various 
sources  of  attack,  no  However,  this  was  not  an  easy  task.  Arbor  Networks  reported  that 
the  attacks  originated  from  all  over  the  world  instead  of  from  a  few  locations. m  The 
Estonian  Informatics  Centre,  which  was  responsible  for  Estonia’s  information  systems 
and  the  Internet,  confirmed  the  attacks  were  from  as  many  as  178  countries. m  Also,  the 
attackers  intentionally  moved  the  C&C  servers  to  countries  that  were  on  unfriendly  terms 
with  Estonia,  thereby  preventing  any  potential  cooperation  in  stopping  the  attacks  or 
apprehending  the  culprits.  ^3  As  a  result,  not  all  the  C&C  servers  used  by  the  botnets 
could  be  shut  down. 

Toward  the  end  of  May  2007,  the  attacks  gradually  stopped.  This  came  about  as 
news  spread  that  the  criminals  responsible  for  the  attacks  were  being  brought  to 
justice.  11'^  This  was  confirmed  when  NATO  reported  that  the  attackers  had  stopped  their 
attacks  deliberately  rather  than  being  shut  down.i^^ 

3.  How  Could  Active  Cyber  Defenses  Have  Helped  in  This  Scenario? 

The  initial  wave  of  attacks  was  traced  to  individuals  with  Russian  nationalist 
sympathies  who  carried  out  the  attacks  by  following  instructions  posted  on  various 
Internet  forums  and  websites.  Eor  the  individuals  who  lacked  the  sophistication  to 

^09  “Emerging  Cyber  Threats  and  Russian  Views  on  Information  Warfare  and  Information 
Operations,”  41. 

^  “International  Cyber  Incidents:  Legal  Considerations,”  24. 

m  Ibid.,  23. 

^  Charles  Clover,  “Kremlin-Backed  Group  Behind  Estonia  Cyber  Blitz,”  Financial  Times,  1 1  March 
2009,  http://www.ft.eom/cms/s/0/57536d5a-0ddc-l  lde-8ea3-0000779fd2ac.html#axzzlXqpZTRzc. 

^^3  “International  Cyber  Incidents:  Legal  Considerations,”  28. 

1 14  Ibid.,  24. 
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spoof  their  IP  addresses,  passive  defenses  such  as  auditing  the  logs  sufficed  to  trace  their 
identities.  As  for  the  more  experienced  perpetrators,  access  to  the  intermediate  computers 
used  for  laundering  their  network  traffic  was  needed  in  order  to  trace  them.  For 
computers  located  in  the  less  friendly  countries,  cyber  exploitation  might  have  been  used 
to  gain  access.  Thereafter,  with  more  analysis,  subsequent  cyber  attacks  could  be 
launched  to  shut  down  the  attackers’  systems.  If  the  computers  were  located  in  friendly 
countries,  the  computers  could  be  seized  and  analyzed  through  legal  means. 

Subsequent  waves  of  attacks  were  observed  to  be  highly  coordinated  and  had 
central  command  and  control  features.  As  mentioned  in  chapter  three,  one  way  to  stop 
such  attacks  is  to  take  down  the  C&C  servers.  If  they  are  found  to  be  located  in  a 
cooperative  country,  the  approach  against  the  Coreflood  botnet  can  be  adopted.  If  not, 
cyber  exploitations  and  attacks  could  be  used  to  try  to  shut  down  the  attacks.  For 
example,  after  obtaining  the  IP  address  of  an  attacking  computer  from  the  firewall  logs, 
that  attacking  computer  could  be  exploited.  After  that,  a  thorough  analysis  on  that 
computer  could  be  conducted,  potentially  revealing  the  IP  address  of  the  C&C  server. 
Thereafter,  the  C&C  server  can  be  exploited  so  as  to  determine  the  culprit  responsible  for 
the  attack.  To  stop  further  attacks,  the  server  can  be  shutdown  through  a  cyber  attack. 

Several  of  the  IP  addresses  involved  in  the  attack  were  traced  to  Russia,  with 
some  of  them  belonging  to  Russian  state  institutions. However,  given  that  the 
computers  themselves  could  have  been  compromised  and  under  the  control  of  a  botnet 
owner,  there  was  insufficient  evidence  to  determine  the  true  culprit.  While  the  Russian 
government  was  accused  of  the  attacks,  it  denied  allegations. ^ 20  However,  the  true 
attacker  may  have  been  determined  if  the  attack  computers  in  Russia  could  have  been 
examined  for  further  analysis.  Of  course,  that  would  have  required  cooperation  from  the 
Russian  ISPs  and  authorities.  But,  if  that  were  lacking,  the  computers  could  have  been 
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exploited  remotely  so  that  the  analysis  eould  be  earried  out.  Likewise,  botnets  loeated 
elsewhere  and  involved  in  the  attaeks  eould  be  approaehed  in  the  same  manner. 

Another  possibility  of  employing  active  cyber  defense  in  this  scenario  would  be  to 
tamper  with  the  script  used  for  the  cyber  attacks.  As  reported,  a  downloadable  batch  of 
scripts  designed  to  ping  flood  Estonian  websites  were  posted  to  several  Russian  language 
message  boards. 121  Given  the  lack  of  cooperation  from  Russia,i22  the  sites  hosting  these 
message  boards  could  have  been  hacked.  Thereafter  the  script  could  be  modified  so  that  it 
would  do  something  instead  of  launching  the  attack.  At  the  same  time,  the  sites  could  be 
monitored  to  track  the  attacker’s  whereabouts. 

D.  STUXNET 

1.  Overview 

The  first  of  its  kind,  Stuxnet  is  a  sophisticated  computer  worm  that  targets 
industrial  control  systems.  It  was  first  discovered  on  computers  in  Iran  by  VirusBlokAda, 
an  IT  security  firm  based  in  Belarus,  in  June  2010.^23  However,  from  the  in-depth 
analysis  by  Symantec,  the  worm  was  confirmed  to  have  existed  at  least  one  year  prior.  124 
The  worm  spreads  by  exploiting  several  software  vulnerabilities  in  the  Microsoft 
Windows  operating  systems,  and  is  capable  of  spreading  via  removable  devices  (such  as 
USB  drives).  After  infecting  a  new  computer,  the  worm  can  contact  a  command  and 
control  server  for  any  instructions,  including  upgrading  itself.  This  worm  was  designed  to 
locate  specific  industrial  control  systems  and  modify  the  code  on  the  corresponding 
Siemens  programmable  logic  controllers  (PECs)  for  malicious  purposes.  1 25  Some  sources 
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have  suggested  that  Stuxnet  was  designed  to  sabotage  Iran’s  Bushehr  nuclear  reactor. 
Others  suggested  that  Stuxnet  targeted  the  nuclear  facility  at  Natanz,  due  to  its  particular 
configuration.  127  As  reported  by  Symantec,  Stuxnet  sought  out  very  specific  industrial 
control  systems,  and  60  percent  of  the  100,000  infected  computers  were  located  in 

Iran.  128 


2.  How  Could  Active  Cyber  Defenses  Have  Helped  in  This  Scenario? 

Since  Stuxnet  was  discovered,  several  resources  have  been  made  available  to 
guide  others  in  terms  of  defending  against  industrial  control  system  attacks.  1 29  However, 
they  are  passive  in  nature,  and  may  not  be  sufficient  in  determining  the  identity  of  the 
attacker  as  discussed  in  the  earlier  chapter.  As  with  the  other  cases  mentioned  above, 
active  cyber  defenses  could  have  helped  address  the  issue  of  attribution.  While  Iranian 
intelligence  claimed  that  enemy  spy  services  were  responsible  for  Stuxnet,  there  is 
inadequate  evidence  to  prove  this.  As  published  by  Symantec,  several  references  within 
the  Stuxnet  code  could  simply  have  been  misdirection  on  the  part  of  the  attackers. i^o 
Apart  from  the  references,  Symantec  found  that  the  command  and  control  servers  used  by 
Stuxnet  were  located  in  Malaysia  and  Denmark.  i3i  These  servers  could  have  been  seized 
or  exploited  via  cyber  means  to  gain  insight  to  the  attackers.  If  the  identity  of  the 
attackers  could  be  confirmed,  appropriate  legal  and/or  political  actions  could  follow. 
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Another  possible  active  cyber  defense  for  this  case  is  in  the  form  of  cyber  counter 
attack.  Based  on  the  study  by  Symantec,  there  was  a  possible  attack  scenario  in  which  an 
early  version  of  Stuxnet  or  other  malicious  binary  would  steal  and  upload  the  industrial 
control  system  (ICS)  schematics  from  compromised  systems  to  some  servers. ^^2 
Thereafter,  the  attacker  would  develop  a  newer  version  of  Stuxnet,  tailored  specifically 
for  the  ICS  facility. 

In  this  setting,  special  Trojans  could  be  embedded  in  the  documents  containing 
the  schematics.  When  the  documents  are  accessed  on  a  friendly  computer,  the  Trojan  will 
not  take  any  actions.  (Unique  signatures  could  be  hidden  within  the  computers  of 
legitimate  users  thereby  allowing  the  Trojan  to  identify  them  as  friendly  computers.  Any 
other  computers  accessing  the  document  will  then  be  deemed  as  hostile.)  However,  if  the 
documents  are  accessed  on  a  hostile  computer,  the  Trojan  will  become  active.  It  will 
capture  system  and  network  information,  and  send  it  back  to  the  investigators  alerting 
them  of  the  compromise.  This  information,  together  with  various  documents  extracted 
from  the  hostile  computer,  can  assist  in  identifying  the  attacker. 

In  addition,  some  of  the  documents  with  the  ICS  schematics  could  contain 
misleading  or  false  information.  When  attackers  try  to  interpret  the  information,  they  will 
be  led  astray. 

Regardless,  Stuxnet  has  demonstrated  a  new  threat  to  ICS.  As  Ralph  Langner,  a 
well-respected  expert  in  industrial  control  systems  security,  pointed  out,  “The  problem  is 
not  Stuxnet.  Stuxnet  is  history.  The  problem  is  the  next  generation  of  malware  that  will 
follow. ”133  Stuxnet  has  shown  the  world  that  it  is  possible  to  cripple  industrial  control 
systems,  and  that  is  an  attractive  option  for  hostile  states  (and  non-states  alike).  The 
Poneman  Institute  reported  that  the  majority  of  companies  in  the  energy  sector  are  not 
prepared  to  defend  against  such  threats. 1 34  To  make  things  worse,  the  source  code  of 
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Stuxnet  has  been  made  available  on  the  Internet.  13^  This  implied  that  new  and  perhaps 
even  more  sophisticated  variants  of  Stuxnet  could  be  created  with  greater  ease.  In  view  of 
this,  it  is  crucial  to  strengthen  measures  to  deter  potential  attackers.  As  Patrick  Morgan 
highlighted,  a  good  cyber  deterrence  posture  needs  to  include  “capacities  for  suitable 
retaliation. ”13®  Cyber  exploitation  could  contribute  to  attributing  the  attacker,  while  cyber 
counter  attack  would  be  a  suitable  retaliation.  137 

E.  CONCLUSION 

This  chapter  has  shown  how  active  cyber  defenses  could  have  made  a  difference 
in  three  major  incidents,  particularly  in  the  areas  of  attribution.  Should  there  be  sufficient 
intelligence  suggesting  an  imminent  threat,  a  corresponding  preemptive  cyber  attack  can 
be  launched  against  the  hostile  state,  thereby  preventing  the  cyber  attack. 

Active  cyber  defenses  could  be  employed  in  ways  similar  to  that  of  espionage  and 
covert  actions  conducted  by  intelligence  agencies.  For  example,  according  to  Dr.  David 
Perry  from  the  University  of  Santa  Clara,  the  CIA  has  recruited  agents  in  foreign 
countries  to  help  provide  intelligence,  as  well  as  plot  assassinations  of  various  foreign 
leaders.  138  in  a  cyber  context,  the  computer  network  of  a  hostile  state  could  be  exploited 
and  network  sensors  installed.  These  sensors  could  have  functionalities  similar  to  those  of 
an  intrusion  detection  system  or  network  packet  sniffer.  When  the  sensors  detect 
activities  that  suggest  the  threat  of  a  cyber  attack,  the  network  or  corresponding  servers 
could  be  disrupted  and/or  shutdown. 

While  such  active  cyber  defenses  may  be  considered  inappropriate,  some  have 
argued  that  these  are  acceptable  as  they  are  part  of  self-defense.  One  such  individual  is 
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Professor  Jay  Kesan  of  the  University  of  Illinois  at  Urbana-Champaign.  In  his 
forthcoming  paper  “Mitigative  Counterstrike:  Self-Defense  and  Deterrence  in 
Cyberspace,”  he  argues  that  self-defense  “is  accepted  as  an  essential  element  of 
protection  in  virtually  all  other  legal  contexts,  and  should  be  preserved  in  the  cyber 
realm.”i39  in  the  case  of  the  cyber  attacks  on  Estonia,  this  argument  suggests  that  Estonia 
could  have  conducted  cyber  exploitation  and/or  attacks  on  the  Russian  ISPs  (where  the 
attacks  were  last  traced  to)  as  a  form  of  self-defense. 
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V.  CONCLUSION 


A.  SUMMARY 

This  thesis  has  studied  different  types  of  cyber  attacks  and  the  limitations  of 
existing  passive  defenses  against  them.  It  has  proposed  augmenting  these  passive 
measures  with  active  ones  and  explored  typologies  of  active  cyber  defenses  and  the 
benefits  they  can  offer  to  an  overall  cyber  defense  posture.  Three  prominent  cases  of 
cyber  attacks  were  used  to  illustrate  how  active  cyber  defenses  could  have  made 
differences  in  defending  against  the  attacks. 

Active  cyber  defenses  are  not  meant  to  replace  passive  defenses.  Rather,  they  are 
meant  to  complement  the  latter,  and  should  be  considered  in  any  national  level  cyber 
program.  This  concluding  chapter  summarizes  the  benefits  and  typologies  of  active  cyber 
defense.  It  briefly  lays  down  some  technical  and  legal  considerations,  and  then  highlights 
some  areas  of  possible  future  research. 

B.  ACTIVE  CYBER  DEFENSE 

Active  cyber  defenses  may  one  day  offer  strategic  advantages  similar  to  those  for 
active  defenses  in  conventional  warfare.  They  can  help  establish  attribution  of  a  cyber 
attack,  deter  attacks  by  creating  the  fear  of  retaliatory  attacks  in  potential  attackers,  or 
even  preempt  an  imminent  attack.  The  typologies  of  active  cyber  defense  are  cyber 
exploitation,  counter  cyber  attack,  preemptive  cyber  attack,  and  preventive  cyber  attack. 

Cyber  exploitation  refers  to  the  hacking  of  third  party  or  the  attackers’  computers 
and  networks  for  the  purpose  of  gaining  information  about  the  attack,  including  the 
source  of  the  attack,  the  methods  and  tools  used,  the  scope  of  the  attack,  and  data  that 
may  have  been  taken.  Cyber  exploitation,  when  carefully  carried  out,  need  not  disrupt 
target  computers  and  may  even  goes  undetected. 

Counter  cyber  attack  refers  to  the  launching  of  a  cyber  attack  against  an  attacker. 
The  objective  could  be  to  interrupt  an  attack  in  progress  and  limit  its  effects.  The  counter 
attack  could  take  the  form  of  DOS  attack  or  intrusion  into  the  attacker’s  network. 
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Alternatively,  if  the  attacker  is  stealing  sensitive  documents,  it  could  take  the  form  of 
booby-trapping  the  documents  with  a  remote-controlled  Trojan,  which  then  could  be  used 
to  collect  information  about  the  attacker  and/or  shut  down  the  attacker’s  computer  or 
network. 

Preemptive  cyber  attack  refers  to  the  launching  of  a  cyber  attack  against  an 
adversary  in  anticipation  of  an  imminent  cyber  attack.  Preventive  cyber  attack  refers  to 
the  launching  of  a  cyber  attack  against  an  adversary  based  on  a  judgment  that  the 
adversary  will  be  attacking. 

C.  CONSIDERATIONS 

I.  Technical  Considerations 

In  order  to  employ  active  cyber  defenses  successfully,  the  defender  must  have  the 
capability  to  launch  a  cyber  exploitation  or  cyber  attack.  Unless  the  defender  is  launching 
a  simple  DOS  attack,  this  means  that  the  defender  must  be  able  to  exploit  some 
vulnerability  on  the  attacking  computer  or  network.  To  improve  the  chances  of  success,  it 
would  be  best  to  exploit  a  zero-day  vulnerability  since  known  vulnerabilities  may  have 
been  patched  on  the  target  system.  However,  exploiting  a  zero-day  vulnerability  requires 
either  an  internal  research  program  or  access  to  researchers  who  are  willing  to  provide 
information  and  exploit  tools  for  zero-days  on  a  confidential  and  sole-source  basis. 
Finding  zero-day  vulnerabilities  can  be  resource  intensive,  particularly  when  the 
researchers  do  not  have  access  to  the  software  code  and  need  to  reverse  engineer  the 
software.  Even  if  the  software  code  is  available,  the  process  of  code  auditing  can  be 
onerous  due  to  the  lengthy  lines  of  code  and  vast  numbers  of  software  and  hardware 
systems  to  investigate.  To  make  matters  worse,  the  process  needs  to  be  ongoing.  New 
versions  of  software  and  operating  systems  are  rolled  out  periodically,  and  it  is  uncertain 
when  they  will  be  adopted.  When  that  happens,  previously  found  zero-day  vulnerabilities 
would  likely  be  rendered  useless.  While  there  is  a  market  for  buying  and  selling  zero-day 
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vulnerabilities,  it  is  still  important  for  any  government  to  have  its  own  capability,  or  a 
set  of  dedicated  researchers  who  are  working  toward  it.  The  reason  is  that  the  government 
would  need  to  verify  the  zero  vulnerability  (or  exploit)  it  intends  to  purchase,  as  well  as 
subsequently  develop  or  customize  the  exploit  to  suit  its  needs.  Also,  without  the 
dedicated  resource,  it  may  not  be  able  to  react  promptly  when  faced  with  a  cyber  attack. 

To  limit  the  impact  of  a  cyber  attack,  it  is  crucial  to  stop  the  attack  quickly.  This 
means  that  the  defender  must  have  cyber  tools  for  active  defense,  including  zero-day 
exploit  tools,  ready  at  hand,  along  with  the  knowledge  about  how  to  use  them.  In  an 
analogy  to  conventional  warfare,  for  a  counter  attack  to  be  useful,  the  defender  must  first 
have  troops  that  are  well  trained  in  warfare.  If  the  defender  only  starts  drafting  soldiers 
and  training  them  when  an  adversary  is  attacking,  it  will  be  too  late.  A  city  may  be 
overrun  before  any  counter  attack  can  take  place.  Soldiers  need  to  be  trained  and  well 
equipped,  so  that  they  can  be  deployed  at  any  time.  In  the  cyber  aspect,  the  defender  must 
have  adequate  exploits  in  place  to  launch  a  successful  counter  attack.  Moreover,  if  the 
defender  intends  to  booby-trap  sensitive  documents  that  the  attacker  is  downloading,  the 
defender  needs  to  be  able  to  detect  the  attacker’s  activity  and  insert  a  Trojan  into  the 
stolen  files  while  the  attack  is  in  progress  and  without  slowing  down  the  attacker’s 
downloads. 

2.  Nontechnical  Considerations 

Conducting  cyber  attacks,  including  active  cyber  defense,  is  controversial.  Widely 
accepted  principles  for  fighting  conventional  wars  have  been  encoded  in  the  international 
law  of  armed  conflict  (LOAC),  which  includes  the  Geneva  and  Hague  Conventions,  and 
the  UN  Charter.  But  what  about  cyber  attacks?  Would  it  be  legal  and  ethical  under  the 
LOAC  to  conduct  a  defensive  cyber  attack  (be  it  a  counter,  preventive,  or  preemptive 
attack)  against  another  nation?  And  what  would  the  appropriate  justifications  be?  In  the 
cyber  attack  against  Estonia,  given  the  lack  of  assistance  from  the  Russian  government, 

Jordan  Robertson,  “Google  Attack  Highlights  ‘Zero-Day’  Black  Market,”  Seattle  Times,  28 
January  2010, 

http://seattletimes.nwsource.eom/html/businesstechnologv/2010916578  apustecchinagooglesecurityhole.ht 
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would  it  have  been  acceptable  for  Estonia  to  launch  a  cyber  attack  or  exploitation  against 
those  computers  in  Russia?  Or  in  the  case  of  GhostNet,  would  it  have  been  lawful  for  the 
various  countries  infected  by  GhOst  RAT  to  conduct  cyber  exploitations  and  counter 
cyber  attacks  against  the  service  providers  and  computers  located  in  China?  Would 
attacking  the  service  providers,  being  uninvolved  third  parties,  have  been  deemed 
acceptable  collateral  damages?  In  conventional  war,  these  actions  could  be  defended  on 
the  basis  of  self-defense  when  non-excessive  collateral  damage  is  often  acceptable. 
However,  at  present,  there  is  considerable  uncertainly  in  addressing  these  issues  under 
international  law  and  the  lack  of  a  unified  framework,  Finally,  apart  from  these,  the 
ethics  of  cyber  attacks  need  to  be  considered  too. 

D.  FURTHER  RESEARCH 

Looking  at  the  above-mentioned  considerations,  there  are  some  possible  avenues 
for  future  research.  One  important  issue  to  note  is  that  the  research  time  required  to  find 
new  vulnerabilities  and  exploits  needs  to  be  reduced.  As  discussed,  often  computer 
systems  are  upgraded  with  newer  versions  of  software.  If  it  takes  too  long  to  find  a  zero- 
day  vulnerability,  then  a  working  exploit  may  not  be  available  when  the  need  for  a 
counter  cyber  attack  arises.  At  present,  researchers  rely  on  both  manual  efforts  and 
automated  tools,  such  a  fuzzer,!^^  to  send  multiple  malformed  data  into  software,  forcing 
them  to  crash.  Then,  by  analyzing  the  crash  information  and  further  manipulation  of  the 
malformed  data,  the  researcher  may  be  able  to  generate  software  code  to  exploit  the 
vulnerability  that  caused  the  crash.  However,  this  whole  process  is  challenging  and 
tedious  and  often  fails  to  yield  results.  As  such,  any  research  in  improving  the  process  of 
vulnerability  detection  and  exploit  generation  would  be  very  helpful. 

Another  possible  area  of  research  would  be  in  the  automation  of  Trojan  injection 
into  documents.  One  of  the  counter  cyber  attack  examples  described  above  involves  the 
insertion  of  a  Trojan  into  documents  that  the  attacker  was  detected  to  be  downloading. 
An  automated  system  needs  to  be  in  place  to  facilitate  that  detection  and  automatically 
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insert  the  Trojan  into  the  relevant  documents.  This  could  be  something  similar  to  that  of 
an  Intrusion  Detection  System  (IDS),  but  with  the  ability  to  alter  the  content  of  the 
documents  in  real  time. 

A  third  area  of  research  is  in  the  policy  area.  As  Professor  Jay  Kesan  mentioned  in 
his  paper  “Mitigative  Counterstrike,”  there  is  a  need  “to  legally  solidify  the  right  to  use 
self-defense  in  cyberspace,  while  also  protecting  the  rights  of  potential  uninvolved  third 
parties  who  might  be  harmed  by  mitigative  counterstrikes.”i'^3  Thus,  further  research 
could  be  conducted  so  as  to  construct  a  framework  for  new  cyber-specific  legal  principles 
that  could  be  adopted  by  the  international  community.  The  framework  should 
complement  existing  international  laws  and  address  the  use  of  active  cyber  defenses, 
particularly  conditions  under  which  their  use  would  be  appropriate;  privacy  issues;  and 
collateral  damage.  In  this  regard,  the  U.S.  has  reportedly  started  crafting  such  a  legal 
framework,  However,  until  it  is  completed  and  accepted  by  other  nations  in  the  world, 
the  use  of  active  cyber  defense  is  likely  to  continue  to  engender  controversy. 


143  “Mitigative  counterstriking;  Self-Defense  and  Deterrence  in  Cyberspace,”  3. 
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